James MacLean wrote:
James MacLean wrote:
Hi Folks,
Recently (I believe since recent 3.0.x releases), I have been unable to login to a Samba instance using CIFS (Linux mount) or Windows 2003. If I change the smb.conf from:
security = server to security = user
I _can_ login again fine. The NT PDC always replies with NT_STATUS_LOGON_FAILURE. It's event viewer shows that the proper username is being used, but that the password is not correct.
Logging in with smbclient or 2000 or XP is fine, although possibly slow as if it is trying one way, failing then trying another.
Always failing at auth/auth_server.c:check_smbserver_security(363).
I'm usually not too bad at digging in and at least having a clue with these problems, but this time I am lost. Did Google searches, looked at the archives and although I saw similar problems, they where either fixed with something that didn't work here, or the question was not answered :(.
Any help, even to look at something obvious, appreciated, JES
By setting "use spnego = no" I am able to authenticate the Windows 2003 servers against the Samba server that uses an NT4 server for authentication. It appears that Windows 2003 makes Samba think that it should use spnego to authenticate against an old NT domain :(? According to the man :
Unless further issues are discovered with our SPNEGO implementation, there is no reason this should ever be disabled.
So having now found a reason ;), I still can not log in from a Linux system using CIFS (smbfs is fine).
Some logging:
[2004/11/20 22:32:49, 3] smbd/oplock.c:init_oplocks(1302)
open_oplock_ipc: opening loopback UDP socket.
[2004/11/20 22:32:49, 3] smbd/oplock_linux.c:linux_init_kernel_oplocks(303)
Linux kernel oplocks enabled
[2004/11/20 22:32:49, 3] smbd/oplock.c:init_oplocks(1333)
open_oplock ipc: pid = 6701, global_oplock_port = 44311
[2004/11/20 22:32:49, 3] lib/access.c:check_access(313)
check_access: no hostnames in host allow/deny list.
[2004/11/20 22:32:49, 2] lib/access.c:check_access(324)
Allowed connection from (10.227.7.66)
[2004/11/20 22:32:49, 3] smbd/process.c:process_smb(1092)
Transaction 0 of length 51
[2004/11/20 22:32:49, 3] smbd/process.c:switch_message(887)
switch message SMBnegprot (pid 6701) conn 0x0
[2004/11/20 22:32:49, 3] smbd/sec_ctx.c:set_sec_ctx(288)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2004/11/20 22:32:49, 3] smbd/negprot.c:reply_negprot(461)
Requested protocol [NT LM 0.12]
[2004/11/20 22:32:49, 3] lib/util_sock.c:open_socket_out(752)
Connecting to 10.227.0.8 at port 445
[2004/11/20 22:32:49, 2] lib/util_sock.c:open_socket_out(789)
error connecting to 10.227.0.8:445 (Connection refused)
[2004/11/20 22:32:49, 3] lib/util_sock.c:open_socket_out(752)
Connecting to 10.227.0.8 at port 139
[2004/11/20 22:32:49, 3] auth/auth_server.c:server_cryptkey(75)
connected to password server MYSERVER
[2004/11/20 22:32:49, 3] auth/auth_server.c:server_cryptkey(100)
got session
[2004/11/20 22:32:49, 3] auth/auth_server.c:server_cryptkey(133)
password server OK
[2004/11/20 22:32:49, 3] auth/auth_server.c:auth_get_challenge_server(183)
using password server validation
[2004/11/20 22:32:49, 3] smbd/negprot.c:reply_nt1(327)
not using SPNEGO
[2004/11/20 22:32:49, 3] smbd/negprot.c:reply_negprot(549)
Selected protocol NT LM 0.12
[2004/11/20 22:32:49, 3] smbd/process.c:process_smb(1092)
Transaction 1 of length 220
[2004/11/20 22:32:49, 3] smbd/process.c:switch_message(887)
switch message SMBsesssetupX (pid 6701) conn 0x0
[2004/11/20 22:32:49, 3] smbd/sec_ctx.c:set_sec_ctx(288)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2004/11/20 22:32:49, 3] smbd/sesssetup.c:reply_sesssetup_and_X(655)
wct=13 flg2=0xc001
[2004/11/20 22:32:49, 3] smbd/sesssetup.c:reply_sesssetup_and_X(789)
Domain=[EDUC] NativeOS=[Linux version 2.6.10-rc1] NativeLanMan=[CIFS VFS Client for Linux] PrimaryDomain=[]
[2004/11/20 22:32:49, 2] smbd/sesssetup.c:setup_new_vc_session(608)
setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2004/11/20 22:32:49, 3] smbd/sesssetup.c:reply_sesssetup_and_X(804)
sesssetupX:[EMAIL PROTECTED]
[2004/11/20 22:32:49, 3] auth/auth.c:check_ntlm_password(219)
check_ntlm_password: Checking password for unmapped user [EMAIL PROTECTED] withthe new password interface
[2004/11/20 22:32:49, 3] auth/auth.c:check_ntlm_password(222)
check_ntlm_password: mapped user is: [EMAIL PROTECTED]
[2004/11/20 22:32:55, 1] auth/auth_server.c:check_smbserver_security(363)
password server MYSERVER rejected the password
[2004/11/20 22:32:55, 2] auth/auth.c:check_ntlm_password(312)
check_ntlm_password: Authentication for user [JUSTME] -> [JUSTME] FAILED with error NT_STATUS_LOGON_FAILURE
[2004/11/20 22:32:55, 3] smbd/error.c:error_packet(129)
error packet at smbd/sesssetup.c(887) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
[2004/11/20 22:32:55, 3] smbd/process.c:timeout_processing(1337)
timeout_processing: End of file from client (client has disconnected).
[2004/11/20 22:32:55, 3] smbd/sec_ctx.c:set_sec_ctx(288)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2004/11/20 22:32:55, 2] smbd/server.c:exit_server(571)
Closing connections
[2004/11/20 22:32:55, 3] smbd/connection.c:yield_connection(69)
Yielding connection to
[2004/11/20 22:32:55, 3] smbd/connection.c:yield_connection(76)
yield_connection: tdb_delete for name failed with error Record does not exist.
[2004/11/20 22:32:55, 3] smbd/server.c:exit_server(614)
Server exit (normal exit)
Anyone explain this? Even just an ACK to say I'm way off the deap end and sinking quickly :)?
thanks, JES
Also, using an NT PDC to authenticate against means that my guest access fails using calls such as :
mount -t cifs //server/share /mnt/share -oguest
i.e.:
[2004/11/23 15:37:16, 1] smbd/service.c:make_connection_snum(648)
me (10.0.0.2) connect to service install initially as user nobody (uid=999, gid=999)(pid 14072)
[2004/11/23 15:37:19, 1] smbd/service.c:close_cnum(836)
me (10.0.0.2) closed connection to service install
[2004/11/25 15:03:17, 1] auth/auth_server.c:check_smbserver_security(363)
password server NT_SERVER rejected the password
JES
-- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
